What is the best approach for creating a password-less login system?
I’m thinking of using some sort of randomly generated 16-character token, for example:
I’m developing a quotation system, and the idea is that the suppliers don’t have to register; instead, I create their account for them, and all they have to do is click the link in their email in order to submit a quote. This will encourage suppliers to submit a quote, as they’ll know they don’t need to register or log in.
There isn’t much harm that someone could do should they happen to guess the token, but I’d still like to make the system as secure as I can without requiring a password.
A token would be fine; I would use an MD5 or SHA1 hash for it.
But so you are aware (which it seems you are), this can be sniffed by packet sniffers, especially through email, so just know that. But if that is not an issue, I do not see a problem with using a token for a supplier. If it does get sniffed or abused, simply regenerate a new token for them.
Hope that helps.
That’s a pretty common approach. The trick is to make sure the token is unique. I have used a GUID value in the past.
It all boils down to what is the risk vs the reward.
What is the risk that someone else could use that token to access your system? Since it’s being sent via clear-text email, the risk is probably moderate. (An attacker would have to be listening on their network or between you and their email host. Still not easy.)
What’s the reward? The attacker could submit a quote in the company’s name. How bad is that? That is up to you.
Another risk I could see is if a company submits a quote and then later decides they don’t want to honor it. They could just say they didn’t submit it; someone else must have done so in their name. Again, the likelihood of this is probably not very high, and it could be dealt with in other ways.
Well, wouldn’t your token be like a password a little bit? You could also redirect them to a special site, where they have to click a button specified in the mail to verify their identity (or let them enter a PIN from the mail), so you can be sure not to send all critical data via GET but via POST (important in a public place).
Hope I could help.
If they get some sort of daily email, you could generate a separate unique ID for each link. Or expire them after a specific period, and give them an update via email once every x days.
How big of a deal is it if someone guesses an ID or gets someone else’s?
Also, why only 16 characters? They’re not having to type it, so why not make it longer?
$keyHash = md5($key); // 32 hex characters derived from $key
$urlToken = md5(strrev($keyHash)) . md5(substr($keyHash, 16) . substr($keyHash, 0, 16)); // two 32-character digests concatenated
This would create a 64-character token.
You could try a UUID:
<?php $uuid = trim(`uuidgen`); echo $uuid; ?> // trim() drops the trailing newline uuidgen prints
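Pulling the thread together (longer tokens than 16 characters, per-link IDs that expire, and not trusting a token that has travelled through email forever), here is an added PHP example of an emailed-link scheme for the quotation system in the question. It is not code from any answer above. The function names, the one-week TTL, the URL shape and the in-memory $records array standing in for a database table are all assumptions made for the example; sample data is constructed.

```php
<?php
// Added example, not from the thread: magic-link tokens for the quotation system.
// Function names, the TTL and the in-memory $records "table" are assumptions.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 7 * 24 * 60 * 60; // assumed: a link stays valid for one week

// 32 bytes from the OS CSPRNG, URL-safe base64 without padding: 43 characters,
// 256 bits of entropy. Unlike md5($key) or a GUID, this is unpredictable by construction.
function generate_token(): string
{
    return rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
}

// Build what gets persisted. Only a SHA-256 hash of the token is stored, so a leaked
// database dump cannot be turned into working links; the hash is also the lookup key.
function create_link_record(string $supplierId, int $now): array
{
    $token = generate_token();
    return [
        'token'  => $token, // goes to the mailer only, never to storage
        'record' => [
            'token_hash'  => hash('sha256', $token),
            'supplier_id' => $supplierId,
            'expires_at'  => $now + TOKEN_TTL_SECONDS,
            'used_at'     => null,
        ],
    ];
}

// Redeem a token presented in a URL. Lookup is by hash, the comparison is constant-time,
// expired and already-used links are rejected, and success burns the link so that
// anyone who later reads the email (or a proxy log holding the GET URL) gets nothing.
function redeem_token(array &$records, string $presented, int $now): ?string
{
    $hash = hash('sha256', $presented);
    foreach ($records as &$rec) {
        if (!hash_equals($rec['token_hash'], $hash)) {
            continue;
        }
        if ($rec['used_at'] !== null || $now > $rec['expires_at']) {
            return null; // known link, but stale or already redeemed
        }
        $rec['used_at'] = $now;
        return $rec['supplier_id'];
    }
    unset($rec);
    return null; // no such token
}

// Demonstration with a constructed supplier and an in-memory "table".
$records = [];
$now = time();

$issued = create_link_record('supplier-42', $now);
$records[] = $issued['record'];
$link = 'https://quotes.example/submit?t=' . $issued['token']; // assumed URL shape
echo "Mail this link: {$link}\n";

// First click inside the TTL: the supplier id comes back and the link is marked used.
var_dump(redeem_token($records, $issued['token'], $now + 3600));
// Same link clicked again: single-use, so it is refused.
var_dump(redeem_token($records, $issued['token'], $now + 3700));
// A well-formed token that was never issued: refused.
var_dump(redeem_token($records, generate_token(), $now));
// A fresh, unused link presented after the TTL: refused on expiry.
$later = create_link_record('supplier-43', $now);
$records[] = $later['record'];
var_dump(redeem_token($records, $later['token'], $now + TOKEN_TTL_SECONDS + 1));
```

Two design points worth keeping even if the rest changes: the database never holds the token itself, only its hash, so the table can leak without anyone being able to forge a link; and a link is good for one submission, so the fact that it sat in clear-text email (the sniffing concern raised above) stops mattering once the supplier has clicked it. GUIDs solve uniqueness, but uniqueness is not unpredictability; random_bytes() gives both.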